Cybercrime is a new frontier for legal issues, and lawmakers find it difficult to fully comprehend its interplay between the virtual and real world. As our world is more intricately tied to virtual infrastructure, the legal precedent for dealing with cybercrime is not effective in dealing with the real-world consequences. This research project addresses the technological and societal threats that necessitated the rapid adoption of cybercrime laws in the United States as well as examples of their application in a variety of incidents. This paper will focus on and examine how the U.S. government has taken reactive versus proactive measures in ensuring the safety of our people, key infrastructure and private sector when it comes to cybercrime. Current legislation and its efficacy with respect to these facets of U.S. society will also be critically analyzed to address why it is important. Inadequate cybercrime laws will be shown to have been responsible for major issues in crimes having to do with intellectual property, national security, fraud, identity theft, and privacy.
While technology has paved the way for new ways to communicate, do business and make life easier, it has also opened the doorway for innovative and destructive forms of criminal activity. Mainly, cybercrimes have become commonplace in the world we live in and they are continuing to happen. Various aspects of our society have been impacted by cybercrime. For example, terrorists use the internet to recruit followers and gain funding for malicious projects against first world countries like the United States. Lower threat criminals also engage in cybercrime activity in order to steal from consumers, companies, and organizations. Given the rapid nature of technological development, cybercriminals are continuously innovating and finding ways to circumvent security systems in order to compromise intellectual property, sensitive information, and government records. Nations like the U.S. face a major challenge when it comes to combating cybercrime in all its forms. While the U.S. has been somewhat responsive to the criminal cyber activity that our world is facing, its overall efficacy and legislative implementation rate have been slow and ineffective; consequently, rapid and effective legislation is needed in order to fight against this digital threat.
While we consider cybercrimes to be a recent phenomenon brought on by the age of the internet and computers, cybercrimes date back to the 19th century. For instance, while the invention of the loom by Joseph-Marie Jacquard in 1820 was a major milestone for the fabric industry, employees soon felt threatened by the technology’s ability to replace their jobs. Employees took corrective action by trying to alter its functionality so that its usage would be discouraged. In this instance, the first recorded case of cybercrime came into existence. Since then, numerous other instances have led up to the threat that we face today.
AT&T’s Historic Misfortune. In 1971, AT&T found out the hard way that their call network could be exploited by using the tones found inside Captain Crunch cereal boxes. John Draper built a device called a “blue box” that gave users the ability to place long-distance calls without having to pay the company. Surely, this was a serious incident that set a precedent for hobbyists and technical experts to exploit other systems that were vulnerable. AT&T was the victim of another crime in 1981 whereby Ian Murphy circumvented network security of the company servers in order to change billing times so that people could pay less during normal business hours. Numerous other instances reflected how financial institutions were targets for cyber fraud.
Banking Under Attack. The threat of cybercrime came to prominence when major financial institutions started getting compromised. For instance, 1973 featured cases where bank tellers utilized computers in order to embezzle millions of dollars. Even with the internet company PayPal, hackers embezzled millions of dollars per month while the company was still building its infrastructure (Caulfield, 2011). These major financial institutions were somewhat powerless because they could not easily identify the culprits responsible. The VL Bank case is another example. Nonetheless, major attacks on key aspects of U.S. infrastructure became commonplace throughout the 1990s.
It is important to consider that the federal government is responsible for cybersecurity of its own key infrastructural institutions; moreover, it has an obligation to work with the private sector to protect the interests of the American people. As a division within the Department of Homeland Security, the Office of Cybersecurity and Communications is the regulatory agency that ensures the nation’s digital well-being (CS&C). While this agency cannot mandate laws, it does work with other bodies of government in order to help initiate legislation. The agency “serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration” (CS&C). Crisis response and resolution is a principal objective of this institution. However, the vast scope of cybersecurity implies that the private sector, as well as various non-profit organizations, must do their part in making sure that the American people’s interests are being taken into account.
When it comes to initiating legislation, the government is ultimately accountable for efforts to ensure that the laws fall in line with the dangers that we face on a daily basis. Companies and other institutions can only do their part by lobbying and bringing forth support for legislation that they want to get passed. However, many times the interest of the private sector does not fall in line with that of the people. According to Amitai Etzioni (2011) in Cybersecurity in the Private Sector, while businesses have suffered the greatest losses in terms of monetary suffering, they “maintain one version or another of a libertarian or conservative laissez-faire approach, basically holding that they are best left alone, not regulated, free to follow their own courses” (p. 59). Essentially, they manage losses as part of their normal course of business and generally will not publicly support policies that are indicative of more government regulation. Consequently, it is truly up to the federal government to protect the rights and interests of the people against cybercrimes.
A major reason for legislative intervention is that the U.S. government and the people have taken reactive rather than proactive measures. For example, John Brennan (2012), a Lieutenant Colonel of the United States Army, remarked in a report on cyber terrorism that waiting for true disaster to happen is not a good approach: “…now is the time to coalesce national CT cyber policy, law, and strategy into an effective triumvirate—and not after a ‘digital mushroom cloud’ has appeared on the horizon” (p. 21). That is, proper safety measures will be much more efficient in reducing cybercrime before it even happens in the first place. On a government level, this has not been the case as the U.S. has been merely keeping up with recent attacks from dangerous organizations like Al-Qa’ida, or even domestic threats such as Edward Snowden (Brennan, 2012). However, businesses and individuals have been more conscious of the problem since the early days of the internet. For instance, Provos, Rajab, and Mavrommatis (2009) noted that web-based attacks range widely in their scope and severity: false downloads, malware, website redirects, social engineering, and email. Many of these security concerns have been adequately handled by companies and awareness organizations sponsored by the public.
Unfortunately, there is still a wide gap between the desired security level that people need and the actual scope of the problem. Much of the public is still unaware of the widespread nature of cybercrime and how it affects their lives every day. Ngo and Paternoster’s (2011) study of cybercrime victimization in Cybercrime Victimization: An Examination of Individual and Situational Level Factors found that most of the subjects were either completely oblivious to the potential threats or had a false sense of security when it came to managing their digital lives in finance, personal health, communication and more. It is the U.S. government’s job to ensure the security and well-being of its citizens, and the results have just fallen short. The reactive approach to cyber defense, both internationally and domestically, is inefficient and calls for legislation that will work towards rectifying the root cause of the problem: unpreparedness.
Given the difficulty of estimating the current ubiquity of cybercrimes, more robust legislation and data accumulation about the problem is the best way to control it. It is a common principle of science, business, and logic that something cannot be managed unless it is properly tracked. With cybercrimes, tracking is a major challenge. Chris Kanich, Neha Chachra and McCoy (2011) argued that one of the major issues with even studying, let alone fighting, criminal cyber activity is that there are so many different channels of exploitation and a lack of documented measurement. This results in outright guessing and sometimes ineffective problem-solving techniques. Even successful companies that effectively track cybercrime have difficulty in assigning exact figures and approximations to their losses. Ultimately, understanding the scope of cybercrime would be the first critical step in reducing it for the long term and with a degree of accuracy. Kanich et al. (2011) strongly lamented that this is not practical without adequate resources:
“The operational complexities required to successfully carry out such measurements are significant and rarely documented; blacklisting, payment instruments, fraud controls, and contact management all represent real challenges in such studies.” (Kanich et al., 2011, p. 1)
Given the unknown scope and nature of cybercrimes in the U.S. and the world, adequate measurement is not available.
By default, a reactive approach to solving problems such as cybercrime is a moot point because it does not tackle the root cause of the problem. Government legislation that is aggressive and focused on tracking the extent and scope of such fraud is the only practical way that the problem can even begin to be resolved. However, the government does not currently use methods that are comprehensive in terms of collecting data. While rudimentary indices and blacklists of criminals are a good step, more work needs to be done. This requires the government to be enabled to collect more data and address the problem with a data-driven mentality.
The current legislation in place regarding cybercrime prevention is ineffective and leaves the attacker(s) in a position of superiority. The most prominent example of this is on the government level in the Iraq War. Brennan (2012) gave numerous anecdotes where he compared the standard protocol for running defensive maneuvers in cybercrime versus the tangible world: in effect, getting authorization to drop bombs on villages based on speculation requires little due process while any manipulation of enemy computer networks requires direct permission from the Secretary of Defense. Clearly, there is a serious flaw when it comes to evaluating the risk/reward ratio of using cyber technology to protect the country. There were also many other examples cited by Brennan where potential threats could have been avoided if the government allowed the military more flexibility in terms of using social media, foreign computer networks, and resources to protect the country (Brennan, 2012). The current legislation in place for fighting cybercrime and using it as a tool makes it a slow and ineffective process.
Inherent Dangers of the Internet. Current legislation doesn’t take into account the inherent dangers of the internet and the ability of attackers to exploit it easily. The internet is vulnerable by design and a breeding ground for exploitation. According to Provos et al. (2009), “unfortunately, the root cause that allows the Web to be leveraged for malware delivery is an inherent lack of security in its design” (p. 6). That is, it was not designed with security and potential abuse in mind. Not only that, but cybercriminals constantly differentiate and adapt their malicious tactics in order to circumvent security efforts:
“As a result, academia and industry alike developed effective ways to fortify the network perimeter against such attacks. Unfortunately, the attackers similarly changed tactics, moving away from noisy scanning and concentrating more on stealthy attacks.” (Provos et al., 2009, p. 2)
If the competitive landscape for cyber activity is dynamic, then laws should be dynamic as well. However, legislation that the U.S. uses is ineffective because it does not change and surely doesn’t have the leverage to make a true impact before the damage is done.
DMCA is Ineffective. For instance, while the Digital Millennium Copyright Act (DMCA) of 1998 intended to protect various industries from online piracy and intellectual property theft, it has been ineffective. The music industry was effectively crippled by companies like Napster and other peer-to-peer file-sharing sites. These applications allowed criminals to steal billions of dollars’ worth of intellectual property from various industries, including publishing, movie production, and music. The DMCA did nothing but assign guidelines that would be broken because of a lack of enforcement and administrative execution (U.S. Copyright Office, 1998). Even for companies like Napster that were shut down, the damage had been done by then so it was a moot point. If anything, the DMCA has protected some online piracy sites by absolving them of blame for the actions of their third-party users (U.S. Copyright Office, 1998).
SOPA’s Failure to Pass Legislation. Even when promising legislation like the Stop Online Piracy Act (SOPA) was up for approval, it did not get passed. The 2011 SOPA initiative sought to protect digital property industries like Hollywood by making clear, meaningful laws that would enable them to take more direct legal action (SOPA, 2011). However, even if it had passed, the legislation did not clearly address the international scope of the problem due to its ambiguous nature:
“Using existing resources, all training and technical assistance provided by intellectual property attaches appointed under subsection (b), or under other authority, relating to intellectual property enforcement and protection abroad shall be designed to be consistent with the policy and country-specific priorities set forth in the most recent report of USTR under section 182(a) of the Trade Act of 1974.” (SOPA, 2011, p. 75)
As interpreted above, exceptions would be made for the laws of different nations where the U.S. may not have a physical presence. While policing international cybercrime is surely a daunting challenge in terms of a comprehensive policy framework, SOPA did not do much to establish a new precedent for the problem.
Finally, rapid and effective legislation is needed because national security can be protected and the lives of millions of Americans can be saved. As international terrorist groups heavily utilize cyber technology to aid their evil endeavors, the U.S. has been merely playing “catch-up.” For instance, Brennan (2012) cited numerous concerns over the efficacy of the U.S. cyber strategy for combating terrorist attack related activities. Such activity has only deepened the need for stronger legislation and intervention: “as Al-Qa’ida and its affiliates and adherents have evolved into much more technically savvy terrorist organizations, their ability to threaten U. S. National Security has likewise increased” (Brennan, 2012, p. 1). The impending danger towards American citizens also reflects the use of underground and digital markets for exchanging goods such as weapons and collaborating on malicious plans. Kanich et al. (2011) reported that there are many instances of illegal commerce taking place without regulation or oversight of any kind.
As we have seen, the U.S. has posited several solutions to the cybersecurity problem that the country and world are facing. However, current legislation has not been effective in adequately measuring or preventing instances of cyberterrorism, developing fraud detection techniques, and curbing theft and illegal activity. The most robust solution is rapid legislation that gives the government more leverage to control things. While we think of cybercrimes in the context of the 21st century and the internet, the first documented case of cybercrime was in 1820. After that, there have been many other historical cases where the internet and technological infrastructure have been heavily compromised. AT&T and major financial institutions are early case studies that exemplify the severity of the attacks. Since the 1980s, more and more pressure has been placed on nations, individuals and companies to adequately protect themselves. Ultimately, the U.S. government is responsible for passing legislation that will mitigate the problem. Private companies suffer losses from cybercrimes but are apprehensive about supporting legislation as it may impinge on other rights that they value for making profit.
Mainly, the need for rapid legislation stems from the failure of the current system we have. For example, many of the efforts to mitigate cyber threats have been reactive rather than proactive. The military is just one example where U.S. efforts to combat terror have been compromised through inadequate regulatory policies (Brennan, 2012). As far as consumers and citizens are concerned, Provos et al. (2009) argued that there is very little realization and understanding of the problem when it comes to managing our digital lives; people are more susceptible than they think. Next, the government cannot effectively manage cybercrimes because there are no adequate measurement techniques in place. Kanich et al. (2011) cited how even studying cybercrime is a daunting task without the necessary data. This is doubly true for real-world applications such as defending critical digital infrastructure.
Slow response time to cyber threats was also cited as being a major reason for quicker government intervention. The military is another example where certain uses of cyber technology required administrative approval from the Secretary of Defense. This has proved to be ineffective and impractical for using technology to combat cyber terror. The inherent dangers of the internet were regarded as a key reason why the current legislation we have is inadequate. Industries that produce digital goods have been under attack for many years and policies like the DMCA and SOPA have not done much to fix the problem before long-term damage was done. Finally, national security was cited as a key reason that the government needs to focus on addressing the cyber threat quickly. As terrorists use technological means to commit murder and actions against innocent people, the U.S. must be more prepared.
Brennan, J. (2012). United States counter terrorism cyber law and policy, enabling or disabling? USAWC Civilian Research Project, 1, 1-22.
CS&C. (2012). Office of cybersecurity and communications. Department of Homeland Security. Retrieved from www.dhs.gov/office-cybersecurity-and-communications
Caulfield, B. (2011, February 14). Life after Facebook. Forbes. Retrieved from http://www.forbes.com/forbes/2011/0214/features-peter-thiel-social-media-life-after-facebook.html
Etzioni, A. (2011). Cybersecurity in the private sector. Issues in Science and Technology, Fall, 58-63.
Kanich, C., Chachra, N., & McCoy, D. (2011). No plan survives contact: Experience with cybercrime measurement. CSET '11: Proceedings of the 3rd Workshop on Cyber Security Experimentation and Test, August, 1-8.
Ngo, F., & Paternoster, R. (2011). Cybercrime victimization: An examination of individual and situational level factors. International Journal of Cyber Criminology, 5(1), 773-793.
Provos, N., Rajab, M., & Mavrommatis, P. (2009). Cybercrime 2.0: When the cloud turns dark. Association for Computing Machinery, 7(2), 1-8.
U.S. Copyright Office. (1998, December 1). The digital millennium copyright act of 1998. U.S. Copyright Office Summary. Retrieved from www.copyright.gov/legislation/dmca.pdf
SOPA – U.S. House of Representatives. (2011, October 26). Stop Online Piracy Act. Judiciary Hearings Online. Retrieved April 24, 2013, from judiciary.house.gov/hearings/pdf/112%20HR%203261.pdf